CVE-2021-33909 & CVE-2021-33910 – Long Path Name in Mountpoint Flaws in the Kernel and Systemd

Summary

On July 20th, two CVEs, CVE-2021-33909 and CVE-2021-33910 (Long Path Name in Mountpoint Flaws in the Kernel and Systemd), were publicly disclosed as vulnerabilities affecting Linux distributions. Both require local access to an already-compromised machine, and both stem from flaws in the handling of very long directory paths.

CVE-2021-33909 is a type conversion vulnerability in the Linux kernel’s filesystem layer. It allows a local, unprivileged user to execute commands with root privileges or to crash the operating system. To exploit it, an adversary must already have access to a compromised host. The Qualys advisory states that “if an unprivileged local attacker creates, mounts, and deletes a deep directory structure whose total path length exceeds 1GB”, the adversary can execute commands as root or crash the system.

CVE-2021-33910 is a vulnerability in systemd, a system and service manager for Linux distributions. Exploiting it crashes the local system. As with the kernel flaw, an adversary must already have access to a compromised host; the adversary can then create and mount a filesystem whose path length exceeds 8MB, which crashes systemd and with it the local system.

Affected Versions

CVE-2021-33909: All Linux kernel versions from 2014 onwards are vulnerable.
CVE-2021-33910: All systemd versions from April 2015 onwards are vulnerable.

Impact

CVE-2021-33909

An unprivileged user can gain root privileges on a vulnerable host or cause a denial of service on a vulnerable host. Qualys security researchers were able to verify the vulnerability, develop an exploit, and obtain full root privileges on default installations of Ubuntu 20.04, Ubuntu 20.10, Ubuntu 21.04, Debian 11, and Fedora 34 Workstation. Qualys believes that other Linux distributions are likely vulnerable and probably exploitable.

CVE-2021-33910

Successful exploitation of this vulnerability allows any unprivileged user to cause a denial of service via kernel panic. This vulnerability was introduced in systemd v220 (April 2015) by commit 7410616c (“core: rework unit name validation and manipulation logic”), which replaced a strdup() in the heap with a strdupa() on the stack.

Workarounds

CVE-2021-33909

Qualys has provided mitigations, but they warn that the mitigations “prevent only our specific exploit from working (but other exploitation techniques may exist); to completely fix this vulnerability, the kernel must be patched.” Qualys’ mitigations are provided below:

“Set /proc/sys/kernel/unprivileged_userns_clone to 0, to prevent an attacker from mounting a long directory in a user namespace. However, the attacker may mount a long directory via FUSE instead; we have not fully explored this possibility, because we accidentally stumbled upon CVE-2021-33910 in systemd: if an attacker FUSE-mounts a long directory (longer than 8MB), then systemd exhausts its stack, crashes, and therefore crashes the entire operating system (a kernel panic).”

“Set /proc/sys/kernel/unprivileged_bpf_disabled to 1, to prevent an attacker from loading an eBPF program into the kernel. However, the attacker may corrupt other vmalloc()ated objects instead (for example, thread stacks), but we have not investigated this possibility.”
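To audit a host against the two sysctl mitigations quoted above and to apply them, here is an added shell example; it is not code from Qualys or Deepwatch, the function names are hypothetical, and it accepts an alternative procfs root so it can be exercised against constructed files.

```shell
#!/bin/sh
# Added example, not code from the Qualys advisory or this post: audit and
# apply the two sysctl mitigations Qualys lists for CVE-2021-33909. Function
# names are hypothetical; ROOT defaults to /proc, and another directory lets
# the check run against constructed files. unprivileged_bpf_disabled=2
# (newer kernels, permanent) also blocks unprivileged eBPF and counts as ok.

# read_knob ROOT NAME: print the knob's value, or "missing" if it is absent.
read_knob() {
    f="$1/sys/kernel/$2"
    if [ -r "$f" ]; then
        tr -d '[:space:]' < "$f"
    else
        printf 'missing'
    fi
}

# knob_ok NAME VALUE: 0 when VALUE is a mitigating setting for NAME.
knob_ok() {
    case "$1:$2" in
        unprivileged_userns_clone:0) return 0 ;;
        unprivileged_bpf_disabled:1|unprivileged_bpf_disabled:2) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_sequoia_mitigations [ROOT]: print one status line per knob;
# return 0 only when both mitigations are in place.
audit_sequoia_mitigations() {
    root="${1:-/proc}"
    rc=0
    for name in unprivileged_userns_clone unprivileged_bpf_disabled; do
        have="$(read_knob "$root" "$name")"
        if knob_ok "$name" "$have"; then status=ok; else status=NOT_MITIGATED; rc=1; fi
        printf '%s=%s %s\n' "$name" "$have" "$status"
    done
    return "$rc"
}

# apply_sequoia_mitigations [ROOT]: write the values Qualys recommends
# (needs root on a live system; the setting does not survive a reboot).
apply_sequoia_mitigations() {
    root="${1:-/proc}"
    echo 0 > "$root/sys/kernel/unprivileged_userns_clone" || return 1
    echo 1 > "$root/sys/kernel/unprivileged_bpf_disabled" || return 1
}

case "${1:-}" in
    audit) audit_sequoia_mitigations /proc ;;
    apply) apply_sequoia_mitigations /proc ;;
esac
```

unprivileged_userns_clone is a knob added by the Debian/Ubuntu kernel patch set; on kernels without it the audit reports the knob as missing, and user-namespace creation has to be restricted another way (upstream exposes user.max_user_namespaces instead).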

CVE-2021-33910

Qualys recommends users apply patches for this vulnerability immediately.

Vulnerability Detection

CVE-2021-33909

  • Qualys:
    • QID: 375710 Linux Kernel Local Privilege Escalation Vulnerability (Sequoia)
    • VulnSigs Version: VULNSIGS-2.5.237-3 / lx_manifest-2.5.237.3-2
  • Tenable: no plugin had been released for this specific CVE at the time of writing.
    • Informational Plugin 800110 for Linux OS Kernel Detection
    • Assume any affected OS version needs to be patched

CVE-2021-33910

  • Qualys:
    • QID: 375711 Linux systemd Denial of Service Vulnerability
    • VulnSigs Version: VULNSIGS-2.5.237-3 / lx_manifest-2.5.237.3-2
  • Tenable: no plugin had been released for this specific CVE at the time of writing.

Supporting Information

Learn more about Deepwatch Vulnerability Management services and how we protect our customers from CVE-2021-33909 & CVE-2021-33910 – Long Path Name in Mountpoint Flaws in the Kernel and Systemd and other vulnerabilities.
